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We discuss the Bennett-Brassard 1984 (BB84) quantum key distribution protocol in the light 
of quantum algorithmic information. While Shannon's information theory needs a probability to 
define a notion of information, algorithmic information theory does not need it and can assign a 
notion of information to an individual object. The program length necessary to describe an object, 
Kolmogorov complexity, plays the most fundamental role in the theory. In the context of algorithmic 
\ information theory, we formulate a security criterion for the quantum key distribution by using the 

f"^ . quantum Kolmogorov complexity that was recently defined by Vitanyi. We show that a simple BB84 

protocol indeed distribute a binary sequence between Alice and Bob that looks almost random for 
' Eve with a probability exponentially close to 1. 
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I. INTRODUCTION 

Oh | Cryptography is one of the most important arts in modern society. It enables us to communicate securely with 
our friends who live far away. In 1984, Bennett and Brassard [l[ proposed a simple but also an astonishing protocol 
which is called the BB84protocol. The protocol uses quantum theory as its essential part in achieving unconditionally 
secure key distribution H, HI, HI ■ The security notion of the BB84 protocol is based on Shannon's information theory 
^h Q. Roughly speaking, the security criterion demands that a random variable representing a final key and another 
—t, random variable representing Eve's guess are almost independent. That is, the Shannon entropy of the final key from 
Eve's viewpoint should attain a value sufficiently close to its maximum value. In this paper, we give an alternative 
point of view on this problem. We reconsider the protocol in algorithmic information theory. In the middle of 1960's, 
Kolmogorov 0] and independently Chaitin Q described an innovative idea that makes a bridge between information 
theory and computation theory. While Shannon's conventional information theory treats probability distributions 
. and needs them to define a notion of information, their theory, algorithmic information theory, takes randomness with 
respect to the algorithm as the heart of the information. Their formalism thus does not need a probability to define 
information, and can assign a notion of information to each individual object such as a binary sequence. The theory 
has been applied to problems in various fields including physics Q. As entropy does in Shannon's information theory, 
in algorithmic information theory a quantity called the Kolmogorov complexity plays the most fundamental role. The 
Kolmogorov complexity is defined as the length of the shortest description of an object. Kolmogorov complexity has 
some good properties and behaves rather rationally, as does entropy in Shannon's information theory. Thus, the 
security criterion that we are to consider in this paper should not be based on Shannon's entropy, but on Kolmogorov 
complexity instead. Moreover, since Eve has a quantum state, the Kolmogorov complexity has to be extended to 
be able to treat quantum states as its inputs. That is, a secure final key should have sufficiently large quantum 
Kolmogorov complexity for Eve. 

Recently, some versions of quantum Kolmogorov complexity have been proposed. We employ one of them which was 
defined by Vitanyi [10]. It has a natural interpretation in terms of classical programs for quantum Turing machines. 
In Sec. [Ill we give a brief review of Vitanyi's definition. Its two properties that play important roles in our paper 
are explained. In Sec. IIII A[ we discuss the security that can be attained in a classical communication using a shared 
random binary sequence. We investigate a one-time pad and show that it provides a secure communication also in 
the context of algorithmic information. In Sec. IIII C[ the main part of the present paper, the security proof of the 
BB84 protocol is discussed. We introduce a simple BB84 quantum key distribution protocol and show that it enables 
Alice and Bob to share a binary sequence that looks almost random to Eve with probability exponentially close to 1 . 
In Sec. IIV1 we give some discussion of our results and future problems. 
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II. QUANTUM KOLMOGOROV COMPLEXITY BASED ON CLASSICAL DESCRIPTION 

Recently some quantum versions of Kolmogorov complexity were proposed by a several researchers. Svozil [Til ] . 
in his pioneering work, defined the quantum Kolmogorov complexity as the minimum classical description length 
of a quantum state through a quantum Turing machine [H, EH • As is easily seen by comparing the cardinality of 
a set of all the programs with that of a set of all the quantum states, the value often becomes infinity. Vitanyi's 
definition while similar to Svozil's, does not have this disadvantage. He added a term that compensates for the a 
difference between a target state and an output state. Berthiaume, van Dam, and Laplante [l4| defined their quantum 
Kolmogorov complexity as the length of the shortest quantum program that outputs a target state. The definition 



was settled and its properties were extensively investigated by Muller [15|, [16| • Gacs [lTf employed a different starting 
point related to the algorithmic probability to define his quantum Kolmogorov complexity. 

In this paper we employ the definition given by Vitanyi [ijj. The use of Vitanyi's definition is justified for the 
following reason. Since, as will be seen in the next section, we are interested in the randomness of a classical final 
key for Eve, to consider its classical description is sufficient even if Eve has a quantum state. This way of thinking 
is natural in quantum-information theory. That is, when one is interested in classical outputs, the inputs to be 
considered are also classical. Vitanyi gave a description of a one-way quantum Turing machine and utilized it to 
define a prefix quantum Kolmogorov complexity. A one-way quantum Turing machine consists of four tapes and an 
internal control. (See (Toj for more details.) Each tape is a one-way infinite qubit chain and has a corresponding 
head on it. One of the tapes works as the input tape and is read-only from left-to-right. A program is given on 
this tape as an initial condition. The second tape works as the work tape. The work tape is initially set to be 
for all the cells. The head on it can read and write a cell and can move in both directions. The third tape is called 
an auxiliary tape. One can put an additional input on this tape. The additional input is written to the leftmost 
qubits and can be a quantum state or a classical state. This input is needed when one treats conditional Kolmogorov 
complexity. The fourth tape works as the output tape. It is assumed that after halting the state of this tape will not 
be changed. The internal control is a quantum system described by a finite-dimensional Hilbert space which has two 
special orthogonal vectors \qo) (initial state) and \qf) (halting state). After each step one makes a measurement of a 
coarse-grained observable j | a f ) (q f | , 1 — \qf}(qf\} on the internal control to know if the computation halts. Although 
there are subtle problems fl8l. Tig. I20I [2lj in the halting process of the quantum Turing machine, we do not get into this 
problem and employ a simple definition of the halting. A computation halts at time t if and only if the probability 
to observe qj at time t is one, and at any time t' < t a probability to observe qj is zero. By using this one-way 
quantum Turing machine, Vitanyi defined the quantum Kolmogorov complexity as follows. He treated the length 
of the shortest classical description of a quantum state. That is, the programs of the quantum Turing machine are 
restricted to classical ones. While the programs must be classical, the auxiliary inputs can be quantum states. We 
write U(p, y) — \x) if and only if a quantum Turing machine U with a classical program p and an auxiliary (classical 
or quantum) input y halts and outputs \x). The following is the precise description of Vitanyi's definition. 

Definition 1 Jlw The (self-delimiting) quantum Kolmogorov complexity of a pure state \x) with respect to a one-way 
quantum Turing machine U with y (possibly a quantum state) as conditional input given for free is 

KuQx), | y) := min{Z(p) + \- log 2 | {z\x)\ 2 } : U(p, y) = \z)}, 
where l{p) is the length of a classical program p, and \a~\ is the smallest integer larger than a. 

The one-way quality of the quantum Turing machine ensures that the halting programs compose a prefix- free set. 
Because of this, the length l(p) is defined consistently. The term |~— log 2 |(z|x)| 2 ] represents how insufficiently an 
output \z) approximates the desired output \x). This additional term has a natural interpretation using the Shannon- 
Fano code. Vitanyi has shown the following invariance theorem, which is very important. 

Theorem 1 Jldt] There is a universal quantum Turing machine U , such that for all machines Q there is a constant 
cq, such that for all quantum states \x) and all auxiliary inputs y we have 

Ku(\x)\ y)<K Q (\x)\ y) + c Q . 

Thus the value of the quantum Kolmogorov complexity does not depend on the choice of the quantum Turing machine if 
one neglects the unimportant constant term cq. Thanks to this theorem, one often writes K instead of Kjj. Moreover, 
the following theorem is crucial for our discussion. 

Theorem 2 fldl] On classical objects (that is, finite binary strings that are all directly computable) the quantum 
Kolmogorov complexity coincides up to a fixed additional constant with the self- delimiting Kolmogorov complexity. 
That is, there exists a constant c such that for any classical binary sequence \x), 

mm{l(q) : U(q,y) = \x)} > K{\x)\ y) > mm{l{q) : U{q,y) = \x)} - c 
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holds. 

According to this theorem, for classical objects it essentially suffices to treat only programs that exactly output the 
object. 

III. SECURITY PROOF OF QUANTUM KEY DISTRIBUTION IN THE LIGHT OF QUANTUM 

ALGORITHMIC INFORMATION 

A. Security of one-time pad 

The goal of the quantum key distribution is to distribute a secret key only between legitimate users. In the context 
of algorithmic information, a secret key is nothing but a binary sequence that looks random to Eve. We first show 
that a random binary sequence shared only by Alice and Bob does work for secure communication thereafter. Suppose 
that Alice and Bob share a common binary sequence k 6 {0, 1} M . Eve does not know the sequence except for its 
length. That is, the uncertainty of k for Eve is K(k\M). Suppose that Alice sends a message x <E {0, 1} M to Bob by 
one-time pad. That is, Alice sends a binary sequence x © k 6 {0, 1} M which is known also by Eve. Bob, who knows 
k, can decode it easily to obtain x. In addition, if k is not random, its short description enables Eve to reproduce x 
from any given x © k. Moreover, we can show the following. 

Theorem 3 There exists a constant c (that depends only on a choice of a quantum Turing machine) such that the 
following statement holds. Let M be an arbitrary positive integer and let k G {0, 1} M be a binary sequence. For any 
6 > 0, we define a set Bs C {0, 1} as 

B s := {x\K(x\x ®k,M)< K{k\M) - SM - c}. 

The size of this Bs is bounded by 

\B S \ < 2^ M . 

Proof: See Appendix [Bj 

The following corollary is obvious. 

Corollary 1 There exists a constant c such that the following statement holds. Let M be an arbitrary positive integer 
and let k G {0, 1} M be a binary sequence that looks random to Eve, who knows its length only. That is, K{k\M) > M 
holds. For any S > 0, we define a set Bs C {0, 1} as 

B s := {x\K{x\x © k, M) < (1 - 5)M - c}. 

The size of this Bs is bounded by 

| fl5 | < 2 (i-a)M_ 

The size \Bs\ in this corollary is thus much smaller than |{0, 1} M | = 2 M . This corollary shows that, if Alice and Bob 
share a random binary sequence only between them, they can achieve a secret communication by one-time pad. 

Let us note a remark. One may wonder whether one can show that the size of a set {x|X(a;|x © k,M) < M — c} 
is exponentially small compared with |{0, 1} M | = 2 M . It is not possible because many a;'s have a small Kolmogorov 
complexity even if Eve does not know x © k. For instance, the Kolmogorov complexity of x = 00 ... 00 G {0, 1} M is 
almost vanishing. Thus even |{a;|-ftT(a;|M) < M — c}\ can be comparable with 2 M , while |{a;|if(x|M) < (1 — <5)M — c}| < 
2 (i-s)M holds fo r c > 0. 



B. BB84 protocol 

As was discussed in the last section, if Alice and Bob share a binary sequence that is random for Eve, they can 
communicate securely by using the sequence. Our goal in the following is to show that a quantum key distribution 
indeed achieves this distribution of a random binary sequence. In this section, a concrete protocol to be analyzed is 
introduced. We consider a quantum key distribution protocol that uses a preshared secret key for error correction 
and uses a public linear code for privacy amplification. Although there are more sophisticated or realistic ones, we 
treat one of the simplest protocols since our aim is to present a different viewpoint from the algorithmic information. 
Let us introduce the protocol. 
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(i) Alice encodes a probabilistically [221 ] chosen 27V bit classical sequence to a quantum state of 2iV-qubits with 
respect to a probabilistically [22| chosen basis b 6 {+, x} 2Jv . 

(ii) After confirming Bob's receipt of all the sent qubits, Alice announces the basis b. Bob makes a measurement 
with the basis b on his qubits to obtain an outcome. 

(iii) Alice probabilistically [H| chooses half the number of 2N bits T C {1,2,..., 2N} (\T\ = N), which are called 
test bits. The remaining bits / := {1,2,..., 2N} \ T are called information bits. Alice announces T and the 
classical sequence zt S {0, 1}^ which was encoded to the test bits. 

(iv) Alice and Bob check the error rate in the test bits by public discussions. If the error rate is larger than a 
preagreed threshold p, they abort the protocol. 

(v) Alice and Bob perform an error correction by the one-time pad using a preshared secret key. They consume 
Nh(p) + const secret bits for this procedure. 

(vi) Alice and Bob perform a privacy amplification. (See below for the details.) 

After error correction, Alice and Bob have a common sifted key x £ {0, 1} N (information bits). On the other 
hand, Eve has a quantum state that may be correlated with x. Due to this correlation, Eve may have a part of 
the information on x. Alice and Bob, therefore, cannot use x itself as the final key. Privacy amplification is a 
protocol that extracts a shorter final key which cannot be guessed by Eve at all. The privacy amplification in our 
protocol is performed by use of a linear code. All players including Eve know a set of linear independent vectors 
{vi,i>2, ■ ■ ■ ,vm} C {0, 1}^ which span a linear code C. The vectors could be announced before the whole protocol. 
Its Hamming distance d(C) = min{|u| : v ^ 0, v E C} is assumed to satisfy d(C) > 2N(p + e), where p is the allowed 
error rate in test bits and e > is a small security parameter. The final key is obtained from the sifted key by a 
function / : {0,1}^ — > {0,1} M which is defined as 

f(x) = x ■ v := (x ■ vi,x ■ v 2 , ■ • ■ ,x ■ v M )- 

Eve's purpose is to obtain knowledge of f(x). 

C. Security proof 

Suppose that Alice has chosen a basis b G {0, 1} 2N , test bits T, a value of the test bits zt € {0, 1} N , and Bob has 
obtained z' T 6 {0, 1}^ as the value of the test bits. After (v) in the above protocol Eve also knows all of them. As is 
well-known, one can view the protocol also from an Ekert 1991 protocol (E91) like setting. In the E91 like setting, 
after the error correction there is an entangled state over Alice's information bits, Bob's information bits and Eve's 
apparatus. We denote the state as Pb,T,z T .z' T - Alice makes a measurement Xa = {|x)(x|} on her information bits to 
obtain a sifted key x £ {0, 1}^. This measurement changes the state on Bob's information bits and Eve's apparatus 
[24j . We denote the a posteriori state on Bob's information bit and Eve's apparatus as p x ,b,T,z T ,z' T - We further write 
its restriction on Eve's apparatus as p^ b T Zt z , . Eve's purpose is to extract information on the final key f(x) from this 

quantum state and her knowledge, b, T, zt, z' t , and /. Therefore in the context of quantum Kolmogorov complexity, 
Eve's uncertainty on the final key is written as K(f(x)\p^ bT zt z , , /, b, T, zt, z' t ) [23|. We prove the following theorem. 

Theorem 4 There exists a constant c (that depends only on the choice of the quantum Turing machine) such that 
the following statement holds. For any N , any p, any e > 0, any independent vectors {v\, %)%,..., vm} whose span C 
satisfies d(C) > 2N{p + e), and any S > 0, 

Pr (K{f{x)\p% b ^ ZT ^J, b, T, z T , z' T ) <M-SN-cA\z T ®z T \< Np) < 2~ m + 3e~^ N 

holds. 
Proof: 

We fix a universal quantum Turing machine U and discuss the values of the quantum Kolmogorov complexity with 
respect to it. Since f(x) is classical, to discuss the quantum Kolmogorov complexity of f(x) it essentially suffices to 
consider programs that exactly output f(x) thanks to Theorem^ For each output x 6 {0, 1} M , there is a shortest 
program t Xj b,T,z T ,z' T (take an arbitrary one if it is not unique) that produces f{x) exactly as its output with auxiliary 
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inputs p^ b T Zt z , and /, b, T, zt, z' t . Although the ^^^t.zt.z^'s ma Y have different halting times, thanks to a lemma 
proved by Miiller (Lemma 2.3.4. in [IB]), there exists a completely positive map (CP map) Tu : Yi(Ha®Hi) — * ^{Ho) 
satisfying 

T u{p^ b , T ,z T ,z' T ® I^at^.^X^at,^,^,!) = |/(ar))(/(x)|, 

where is the Hilbert space for the auxiliary input and Hi is the Hilbert space for programs and Ho — ® M C2 is 
the Hilbert space for outputs, and T,(H) denotes the set of all the density operators on H. 

For a while we proceed with our analysis for fixed b, T, zt, z' t . For each t £ {0, 1}* (a set of all the finite length binary 
sequences), let us define a set £ b < T < ZT ' z T (- jjJV as g^< <zt,z t _ j^j t x ^T,z T ,z' T = 0- That is, for each x e £^ t - z t-z t 
the program t with auxiliary inputs p^ b T ZT z i and /, b, T, zt, z' t produces exactly f(x). The set is further decomposed 
with respect to their outputs as £^ T ' Zt > z t _ U2,£ t ' T ' ZT ' ZT (y), where £ b ' T ' ZT ' ZT (y) := {x\ t x ,b.T.z T ,z' T — t-f(x) = v}- 
That is, for each x £ £^,t,z t ,z t ^ ^ e program t with an auxiliary input p^ b T Zt z , , /, b 1 T, zt, z' t produces y. Since 
the CP map Tu does not increase distinguishability among states, for any x S g b ' T}ZT > z T ^ anc i x > g gb,T,z T ,z T wr (;h 
2/ 7^ y'j pfh t z T z' an< ^ /°x' bT z T z' mus t be completely distinguishable. We denote by j^ T ' Zt - z t ._ {E^' T ' Zt ' Zt (y)} y 
a projection valued measure (PVM) that perfectly distinguishes states which belong to different y. That is, 

tr(E$> T > ZT ^(y)p* biTiZT , z/T )=6 f(x)y (1) 

holds for each x and j/. 

Let us consider the problem in an E91 like setting. Now Alice, Bob, and Eve have a state Pb,T,z T ,z' T over their 
systems. For an arbitrary fixed finite L c {0,1}*, let us consider an observable over Alice's information bits and 
Eve's apparatus; 

J>,T,z T ,z' T \ " \ " A b.T.z T ,z' T , x w b.T,z T ,z' T 



where A^' T '' Zt ' Zt (y) is defined as 



A b,T,z T ,z' T{y) . = £ 



One can easily show that this Q£ ' Zt ' Zt j s a projection operator. We hereafter consider an expectation value of 
this projection operator with respect to the state Pb,T,z T ,z' T - (Q b / T ' ZT ' ZT is naturally identified with an operator 
Q£ T ' Zt ' Zt (g) \ B on Alice, Bob, and Eve's tripartite system.) One can write it as follows: 

te{Pb,T,z T ,z' T Q b L T ' ZT ' ZT ) = (Q b L T ' ZT ' ZT }b,T,z T ,z' T 

= EE E <I^X*l ® ^' T ' ZT '^(y)) fc ,T, ZT ,^, 

where we put ( ■ )b,T,z T .z' T — ^ r {Pb,T,z T ,z' T 1 )■ If we consider Alice's measurement = on her information 

bits and denote by p(x\b,T, zt, z' t ) the probability to obtain x, it is represented as 

EE E {\x){x\®E b t > T ^{y)) h ^ z , T 

teL y b,T,z T ,z' T 

x££ t (y) 

"EE E P{ X % T ^T,ZT)tT(p XibtTtZT y T E t ' T ' ZT ' ZT (y)) 



teL y x ^,T,. T y T(v) 



EE E P (x\b,T,z T ,z' T ) = Pr(xe\j£ b t ' T ' ZT ^\b,T,z T ,z' T Y 



(2) 
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where we have used the condition |T|). 

In addition, this quantity can be represented in a different form (see Appendix [Q for its proof). 

Lemma 1 Suppose that Alice virtually makes a measurement on her information bits with a PVM Za ■= {\z){z\} 
which is conjugate to Xa — {\x){x\} that is actually measured to obtain a sifted key, and Bob virtually makes a 
measurement on his information bits with Zg := {|"z)(z|} which is conjugate to Xb that is actually measured. We 
denote their outcomes zi and z'j. It holds that 

tr( Pb ,T, ZT ,z> T Q b L T ' ZT ' Z ' T ) < \L\2- M + ^Pr{\z I ®z' I \> N{p + e)\b,T,z T ,z' T ), (3) 

where the second term in the right hand side is the square root of the probability to obtain distant zj and z\ with 
respect to a state Pb,T,z T ,z' T - 

Combining these different expressions ^ and we obtain 



\ teL 



J ' r ' ZT ^\ b,T,z T ,z T j < \L\2~ M + 3yTr(|^e4l > N(p + e)\ b,T,z T ,z' T ). 
Now if L is taken as L := {t\ l(t) < M — SN}, since \L\ < 2 M ~ SN holds the above inequality can be rewritten as 



Pr U (J e b t ' T ' ZT ' z ' T \ b,T,z T ,z' T < 2- 5N + 3 v /Pr(|z / ©z;| > N(p + e)\ b,T,z T ,z' T ). 

\ t:l(t)<M-8N J 

Thanks to Theorem^ there exists a constant c such that, if a; satisfies K(f{x)\p^ b T ZT z i , b, T, zt, z' t , f) < M—SN—c 
then l{t x fi,T,z T ,z' T ) < M — 5N follows. That is, we obtain 

Pi^K(f(x)\p^ ATtZTtZ , T ,b,T,z T ,z^f)<M-SN-c\ b,T,z T ,z' T ) <2~ SN 



(\z! ® z'j\ > N(p + e)\ b,T,z T ,z' T ). 



We multiply both sides of this inequality by p{b, T, zt,z' t ) which is defined as the probability to obtain b, T, Zy, z' T and 
take a summation with respect to &, T, zt, z' t for all b, T, and zt, z' t with \zr ® z' T \ < Np, and use Jensen's inequality. 
We finally derive 



Pr 



AN 



(K(f(x)\pl btT ^ T ,b,T,^,z! r J)<M-6N-eA\zT®z^\<Np > j < Pr {\z T ® z' T \ < Np) 2 

+3^Pr(\z T ®z' T \ <Np)^Pr(\zi®z' I \ > N{p + e),\z T © z' T \ < Np). 

The second term of the right hand side is bounded by Hoeffding's lemma as Pt(\zj © z\\ > N(p + e), \z T ffi z' T \ < 
Np) < e~^~ N (see e.g. |5[). We thus obtain 

Pr (K(f(x)\pl hTtZTtZ , T , b, T, z T , z' T , f)<M-6N-cA\z T ®z T \< Np) < 2~ SN + 3e~T^. 

This ends the proof. Q.E.D. 



IV. DISCUSSIONS 



In this paper, we considered the security of the quantum key distribution protocol in the light of quantum algorithmic 
information. We employed the quantum Kolmogorov complexity defined by Vitanyi as the fundamental quantity, 
discussed a possible security criterion, and showed that the simple BB84 protocol satisfies it. According to the main 
theorem, a probability for Eve to obtain an almost random final key is exponentially close to 1. The length of the final 
keys M is determined by a condition for the Hamming distance. One can take it as M ~ N(l — h(2(p + e))). Since 
the legitimate users have consumed Nh(p + e) bits for the error correction, the length of the key produced amounts 
to N(l — h(2(p + e)) — h(p + e)). It coincides with the rate obtained in [f| where the security criterion was based on 
Shannon's information theory. 
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Although we hope that the present work can be a first step toward the study of quantum cryptography from the 
viewpoint of quantum algorithmic information, there still remain a lot of things to be investigated. The security crite- 
rion employed in this paper utilizes the quantum Kolmogorov complexity, but it still needs the probability. Therefore, 
the original motivation of the algorithmic information theory, in some sense, has not been perfectly accomplished. 
Comparison between security notions based on algorithmic information and Shannon's information is an important 
future problem to be considered. While the simple BB84 protocol satisfies both criteria, it is not clear whether one 
can be derived from another in some sense. The relation between these criteria will become more subtle if we will 
deepen our algorithmic information theoretical discussion so as to avoid an appearance of probability completely. 
For instance, as was shown, in the one-time pad protocol, while an individual secret key cannot be discussed in the 
conventional Shannon's information theory, it can be treated in the algorithmic information theory. In addition, as we 
noted in Sec. HH there are some other definitions of quantum Kolmogorov complexity. It is interesting to investigate 
whether one can apply them to the security problem. Application of our argument to other protocols will be another 
interesting problem. 
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APPENDIX A: TECHNICAL LEMMAS 

Lemma 2 . For any state p and any projection operators Q and P , it holds that 

\tr( P Q) - tr{PQP)\ < 3tr{p{l - P)) 1 ' 2 . 
Proof: Since 1 = P + (1 — P) holds, Q can be decomposed as 

Q = 1Q1 = PQP + PQ(1 - P) + (1 - P)QP + (1 - P)Q(1 - P). 

Thus we obtain 

\tr(pQ) - ti(pPQP)\ < \tr(pPQ{l - P))| + |tr(p(l - P)QP)\ + |tr(p(l - P)Q(1 - P))|. 
The Cauchy-Schwarz inequality bounds the first term in the right-hand side as 

|tr(pPQ(l - P))| = tr(pPQP) 1/2 tr(p(l - P)) 1/2 < tr(p(l - P)) 1/2 . 
Other terms can be bounded in a similar manner. This ends the proof. Q.E.D. 

Lemma 3 For given linearly independent vectors {vi,V2, ■ ■ ■ ,vm} C {0,1}^, we define f : {0,1}^ — > {0, 1} M as 
f(x) = (x x • V2, ■ ■ ■ , x- vm)- Let C be a code generated by {v\, V2, ■ ■ ■ , vm} cind d(C) be its Hamming distance. For 
s,t£ {0,1}^ satisfying \s\,\t\ < and for any y 6 {0, 1} M , 



(-l)*-('ffl*> = 8 st 2 T 

x:f(x)=y 



holds, where 8 s t is Kronecker's delta. 



Proof: If we fix an element w y € {0, 1}^ satisfying f(w y ) — y, {x\f(x) = y} is represented as w y (B C^. Thus we 
obtain 

V" (_l)z-(s©*) = (_i)«>» •(»©*) V" (_i)*-(se«)_ 

x:f(x)=y igC 1 

For s © t e C, it gives 2 N ~ M (-l) w y< s<st \ Since \s®t\< \s\ + \t\ < d{C) holds, s®teC means s = t. For s 8 * £ C, 
thanks to Lemma D.l in 

(_l)z-(s©*) = o 

holds. This ends the proof. Q.E.D. 
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APPENDIX B: PROOF OF THEOREM [3] 

Proof of Theorem [3] According to the fundamental properties [9( of Kolmogorov complexity it is known that 

\K(x,k\M) - (K(k\M)+K(x\k,K(k),M))\ < ci 

holds for some constant c\. (The proof also holds for the quantum Kolmogorov complexity thanks to Theorem [2]) 
For a fixed 8 > 0, we define a set T>s C {0, 1} M as 

V s := {x\K(x\k, K(k),M) < (1 - S)M}. 

It can be easily shown that \V$\ < 2( 1 ~ (5 ) M holds. Now let us consider its complement V$ — {x S 
{0, l} M |A-(a;|fc, A-(fc),Af) > (1 - 5)M}. For x 6 V% K(x,k\M) > K(k\M) + (1 - 8)M - ci holds. By the way 
we have, in general, 

K(x, k\M) = K(x © k, k\M) + c 2 < © fe|M) + K(a;|ir © k, M) + c 3 
for some C2, C3. Thus, for x £ PJ, we have 

K{x © k\M) + if (s|a; © k, M) + c 3 > #(fc|M) + (1 - <5)M - c x . 
Since if(x © /c|Af) < M + C4 holds for some C4, if we put c = ci + C3 + C4 we obtain 

#0|a; © k, M) > K(k\M) - 5M - c 
for x E V%. Thus V% C S| and £5 C V & holds. Thanks to \V & \ < 2( 1 ~< 5 ) M , this ends the proof. Q.E.D. 

APPENDIX C: PROOF OF LEMMA Q] 

Proof of Lemma [J Let Pb,T,z T ,z' T be a state over Alice's information bits, Bob's information bits, and Eve's 
apparatus. Suppose that Bob virtually makes a measurement of Zb = {\z){z\} on his system (information bits). 
This observable is conjugate with Xb, which is actually measured by Bob to obtain a sifted key. Suppose that Bob 
obtains an outcome z'j. We denote by p(z'j\b, T, zt, z' t ) a probability to obtain z\. The a posteriori state on Alice's 

information bits and Eve's apparatus is denoted as p y r, * r > z T _ 

Define a projection operator Pj on Alice's information bits as 

\s\<N(p+e) 

Applying Lemma [2] with P b ; T — P, Q h ' T > ZT ' ZT = Q anc | n '?' Zt ' Zt — p, we obtain 

\{Q L jb^ZT,^^ ~ {P z > r Q L r z'j < -r z , ) b ^ T ,z Tl z' T ,z^ 

where we put ( • )b,T,z T ,z' T ,z' I = tr(p^', T,ZT ' ZT ( • )). In addition, if we introduce A b ' T (y) :— \x)(x\, it satisfies 

A h ' T (y) > A b .' T ' ZT ' Zrr (y). Thus one can easily show that 

tei y 

holds. It follows that 

p b ; T Q b^r,z T ,z> Tp b ; T <J2J2 P h z ?A b ' T {y)P b z ? ® E h t ^ ZT ^ (y). (C2) 
tei v 
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Combining Eqs JCip and (|C2J> . we obtain the inequality 



t£L y 

(P z ! T A b ' T (y)P z i T <S) E^ T ' Zt ' Zt (y))i, _t ,z t ,z' t ,z'j m the first term on the right-hand side of Eq. (|C3p is estimated as follows. 

Suppose that, with respect to p b ^' ZT ' ZT , Eve made a measurement of the PVM E b ' T ' ZT ' z T anc j obtained y. The 
probability to obtain y is denoted as p{y\b, T, zt, z' t , z'j). The a posteriori state over Alice's information bits is 
denoted as p'7' Zt,Zt . We write its diagonalization as p b '7' ZT ' ZT — Yl v <M<^i/)(</>i/|- The vector \<f> v ) has a expansion 
\<P») = EXI4®^>- Now (<l>v\ P z7 Ab ' T (y) P zf\<t><') is calculated as 

\s\<N(p+e) \t\<N(p+e) 

(<f> u \P b z rA b < T (y)P b z f\^) = E ^<(4®7|^ T (y)|4¥7) 

s t 

|s|<W(p+e) |*|<JV(p+e) f(x)=y 



J2 E E c-ir (set) < 2- 



where we have used lemma [3] and |c^| 2 — 1 to obtain the last inequality. We thus obtain for each y and z f j 



{P b ; T A b ' T (y)P b ; T ® j^b,T,ZT ,z' T fy\\^ 

' z i Vi " z i * \yilb,l,z T ,z T , Zl l-pb,T Ab,T(.\T>b,T\ ^ -M 

p(#jI>Tj4;4) = A ■ MP, , >6,T,* r ,, i . 1 4,» < 2 . 

Multiplying both sides of this inequality with p(y\b, T, Zt, z' t , z'j) and summing it up with respect to y, we obtain 



v 

Summation of this inequality over t £ L further gives 



^tr(p^^(P^^( y )P^0^^( y ))) <2- 



We next estimate the second term 3(1 — P b / T )\^ ZT z > z > in Eq. (|C3p . This term can be represented in a simple form by 

considering Alice's measurement on her information bits with Za '■— {|^7)(^7|} which is conjugate to Xa — {|x)(a;|} 
that is actually measured to obtain a sifted key in the E91 like picture. One can show 

(l-P z b ; T ) fo ,T, ZT ,4,4 =Pr(|z 7 ©4| >N(p + e)\ b,T, z T , z' T , z'j) , 

where the right-hand side is the probability for Alice to obtain a distant Zi from Bob's z'j. Combining the above 
estimates, we obtain 



(Q^ T ' ZT < Z -) &XZT ^ 4 < |L|2- M + 3^Pr(| 2/ ©z;| >N(p + e)\ b,T, z T , z' T , z'j). 
We multiply both sides of this inequality by p{z'j\b, T, zt, z' T ) and take a summation over z'j to obtain 



(Q h L T ' ZT ' z ' T )b,T, ZT , z > T < \L\2- M + 3^Pt(\zj(Bz'j\ >N(p + e)\ b,T,z T ,z' T ), 
where we have used Jensen's inequality once. Q.E.D. 
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